US Senator has privacy concerns about Pokémon Go’s data collection

The popularity of augmented reality smartphone game Pokémon Go has raised a variety of concerns, including a warning by the National Safety Council, urging drivers not to play the game behind the wheel and asking pedestrians to be careful while playing it.

U.S. Senator Al Franken, a strong privacy advocate, has raised the inevitable question about the privacy of the extensive data the game collects from its users, including children, and whether the data is used for other purposes.

“I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users' personal information without their appropriate consent,” Franken, a Democrat from Minnesota, wrote in a letter Tuesday to John Hanke, the CEO of Niantic, the developer of the game.

Citing recent reports and the privacy policy of Pokémon Go, Niantic appears to collect a broad swath of personal information from its players, according to the senator. Ranging from the user’s general profile information to their precise location data and device identifiers, “Niantic has access to a significant amount of information, unless users - many of whom are children - opt-out of this collection,” Franken wrote.

Senator Franken wants to know whether all the information collected is necessary for the provision or improvement of services, or if there are any other purposes for which the data is collected. If some of the data is not not necessary for the provision of services, would the company offer an opt-in option to users for sharing that data, rather than the current opt-out choice.

The senator also wants to have the list of third-party service providers that Niantic says it shares data with in its privacy policy, and would like to know whether Pokémon Go also shares the data with its investors. “Pokemon GO has further indicated that it shares de-identified and aggregate data with other third parties for a multitude of purposes. Can you more exhaustively describe the purposes for which Pokemon GO would share or sell such data?,” he wrote.

Niantic ran into its first privacy issue earlier this week when it was disclosed that the game gave Niantic full access to a user’s Google account when setting up a game account on iOS devices. The company later said it had discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account, but assured users that only basic Google profile information like user ID and email address were accessed. It said it was working with Google on a fix to ensure permission for providing only the basic account information.

In its privacy policy, Niantic has said that it complies with "verifiable parental consent requirements mandated by the Children’s Online Privacy Protection Act (COPPA) and European data protection laws (including, without limitation, the Data Protection Directive)" through a verification and consent process handled by the Pokémon Trainer Club. “Apart from publicly available privacy policies, how does Niantic inform parents about how their child's information is collected and used?,” Franken asked in his letter.

Niantic outlines in its privacy policy that it collects location information, which may be shared with other players, besides being used to personalize or improve services. The service also collects a device identifier, user settings, and the operating system of the users’ device, as well as information about the use of its services from the mobile device, which it may use to improve and personalize services.

Niantic also collects log data, which it says “may include information such as a User’s Internet Protocol (IP) address, user agent, browser type, operating system, the web page that a User was visiting before accessing our Services, the pages or features of our Services to which a User browsed and the time spent on those pages or features, search terms, the links on our Services that a User clicked on, and other statistics.” The log data is used for administering services as well as analysis, including by third parties, to improve and customize the services, according to the privacy policy.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.